What are SPF qualifiers (e.g., +, -, ~, ?)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When an SPF mechanism matches a connecting IP address, the qualifier in front of that mechanism determines what happens next. Think of qualifiers as the verdict: pass, fail, or something in between.
And there are four qualifiers:
+ (pass). The default. If a mechanism matches, the message passes SPF. You almost never write the + explicitly because it's assumed. include:esp.example.com and +include:esp.example.com mean the same thing.
- (fail / hard fail). The mechanism matches, and SPF says the message should be rejected. Used at the end of an SPF record as -all, it tells receiving servers: reject anything that doesn't match my authorized senders. Strong signal, strict enforcement.
~ (softfail). The mechanism matches, but SPF signals "this looks suspicious, but don't reject it outright." ~all at the end of a record is the most common softfail usage. Many receiving servers treat softfail as a spam scoring signal rather than a hard rejection. It's often used as a safer starting point while you're setting up and want to monitor before enforcing.
? (neutral). The mechanism matches, but SPF takes no position on whether it's legitimate or not. Essentially a "no comment." Rarely used in practice. If your record ends with ?all, you're not telling receivers anything useful about messages that don't match.
So In practice, the only qualifier most senders care about is choosing between ~all (softfail) and -all (hard fail) at the end of their record. If you have DMARC properly configured, -all is the right call. Without DMARC, ~all is the safer starting point because a hard fail on a misconfigured record can silently kill your legitimate email.
For a deeper look at the difference between these two, see -all vs ~all.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.